MAL-2026-6338

Malicious code in log-taker (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (35623f56ea43d8a9a7ac1caa84678ed40d6923fdf19d8d23f7d4aacdde1a8c4a)

`index.js` requires `child_process` and invokes `execSync` with bash and zsh shells (around lines 315 and 331). The available evidence does not establish what commands are run, whether the calls fire at install/import time or only when a caller invokes a specific exported function, or whether any installer data is exfiltrated to a network destination. The package name suggests a log-collection tool, which can legitimately shell out to system utilities, but the shell-execution surface combined with the absence of clear scoping warrants human review of the actual command strings and reachability before recommending the package to installers.

Affected packages

npm / log-taker

No fixed version published yet for log-taker (npm). Pin to a known-safe version or switch to an alternative.
